From: Greg Kroah-Hartman Date: Thu, 3 Mar 2022 15:03:38 +0000 (+0100) Subject: 5.16-stable patches X-Git-Tag: v4.9.305~100 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cf6f1d5ccc8ed98aa0b8edc54956b0eefb860b92;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: usb-gadget-clear-related-members-when-goto-fail.patch usb-gadget-don-t-release-an-existing-dev-buf.patch
---
diff --git a/queue-5.16/series b/queue-5.16/series
index a03d4e74863..efec9e75ddf 100644
--- a/queue-5.16/series
+++ b/queue-5.16/series
@@ -25,3 +25,5 @@ i2c-imx-allow-compile_test.patch
 i2c-qup-allow-compile_test.patch
 net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
 block-map-add-__gfp_zero-flag-for-alloc_page-in-func.patch
+usb-gadget-don-t-release-an-existing-dev-buf.patch
+usb-gadget-clear-related-members-when-goto-fail.patch
diff --git a/queue-5.16/usb-gadget-clear-related-members-when-goto-fail.patch b/queue-5.16/usb-gadget-clear-related-members-when-goto-fail.patch
new file mode 100644
index 00000000000..e34ee12eb57
--- /dev/null
+++ b/queue-5.16/usb-gadget-clear-related-members-when-goto-fail.patch
@@ -0,0 +1,43 @@
+From 501e38a5531efbd77d5c73c0ba838a889bfc1d74 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua
+Date: Sat, 1 Jan 2022 01:21:38 +0800
+Subject: usb: gadget: clear related members when goto fail
+
+From: Hangyu Hua
+
+commit 501e38a5531efbd77d5c73c0ba838a889bfc1d74 upstream.
+
+dev->config and dev->hs_config and dev->dev need to be cleaned if
+dev_config fails to avoid UAF.
+
+Acked-by: Alan Stern
+Signed-off-by: Hangyu Hua
+Link: https://lore.kernel.org/r/20211231172138.7993-3-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/legacy/inode.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1875,8 +1875,8 @@ dev_config (struct file *fd, const char
+
+ value = usb_gadget_probe_driver(&gadgetfs_driver);
+ if (value != 0) {
+- kfree (dev->buf);
+- dev->buf = NULL;
++ spin_lock_irq(&dev->lock);
++ goto fail;
+ } else {
+ /* at this point "good" hardware has for the first time
+ * let the USB the host see us. alternatively, if users
+@@ -1893,6 +1893,9 @@ dev_config (struct file *fd, const char
+ return value;
+
+ fail:
++ dev->config = NULL;
++ dev->hs_config = NULL;
++ dev->dev = NULL;
+ spin_unlock_irq (&dev->lock);
+ pr_debug ("%s: %s fail %zd, %p\n", shortname, __func__, value, dev);
+ kfree (dev->buf);
diff --git a/queue-5.16/usb-gadget-don-t-release-an-existing-dev-buf.patch b/queue-5.16/usb-gadget-don-t-release-an-existing-dev-buf.patch
new file mode 100644
index 00000000000..39f53f9de75
--- /dev/null
+++ b/queue-5.16/usb-gadget-don-t-release-an-existing-dev-buf.patch
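Review bot: In the second inner hunk the `fail:` path now clears `dev->config`, `dev->hs_config` and `dev->dev` under `dev->lock`, but `dev->buf` is still released by `kfree (dev->buf);` only after `spin_unlock_irq`, so the pointer stays non-NULL for a short window while its memory is being freed. Detaching it under the lock would make the cleanup uniform: `kbuf = dev->buf;` and `dev->buf = NULL;` before the unlock, then `kfree (kbuf);` after it (`kbuf` being the local seen in the companion patch). Whether `dev->buf` is reset after the `kfree` cannot be seen here, because dev_config's body continues past the end of the hunk. The probe-failure branch in the first inner hunk would also benefit from a short comment such as `/* fail: drops dev->lock, so take it before jumping */`, since taking a lock only to reach a label that releases it is easy to misread.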
@@ -0,0 +1,33 @@
+From 89f3594d0de58e8a57d92d497dea9fee3d4b9cda Mon Sep 17 00:00:00 2001
+From: Hangyu Hua
+Date: Sat, 1 Jan 2022 01:21:37 +0800
+Subject: usb: gadget: don't release an existing dev->buf
+
+From: Hangyu Hua
+
+commit 89f3594d0de58e8a57d92d497dea9fee3d4b9cda upstream.
+
+dev->buf does not need to be released if it already exists before
+executing dev_config.
+
+Acked-by: Alan Stern
+Signed-off-by: Hangyu Hua
+Link: https://lore.kernel.org/r/20211231172138.7993-2-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/legacy/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1826,8 +1826,9 @@ dev_config (struct file *fd, const char
+ spin_lock_irq (&dev->lock);
+ value = -EINVAL;
+ if (dev->buf) {
++ spin_unlock_irq(&dev->lock);
+ kfree(kbuf);
+- goto fail;
++ return value;
+ }
+ dev->buf = kbuf;
+
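Review bot: The new early return in the `if (dev->buf)` branch carries no comment saying why it must not use `fail:`, so a later cleanup could fold it back into the shared label and reintroduce the free of a buffer that is still in use. A one-line comment above the unlock would record the reason, for example `/* dev->buf belongs to an earlier configuration; fail: would kfree it */`. The branch also no longer reaches the `pr_debug` in the fail path (visible in the companion patch), so a rejected second configuration is now silent; if that trace is wanted it would have to be repeated here. dev_config starts and ends outside the hunk.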